Repository Analysis

electron-userland/electron-builder

A complete solution to package and build a ready for distribution Electron app with “auto update” support out of the box

3.4 Likely human-written

Adjusted Score: 3.4
Raw Score: 3.4
Time Factor: 100%
Last Push: 2026-05-30
Stars: 14,569
Language: TypeScript
Lines of Code: 132,830
Files: 568
Pattern Hits: 209
Scan Date: 2026-05-31

Severity Breakdown

CRITICAL 0 · HIGH 7 · MEDIUM 101 · LOW 101

Pattern Findings

209 matches across 9 categories.

Decorative Section Separators (91 hits · 282 pts)
Severity | File | Line | Snippet
MEDIUM | test/src/certInfoTest.ts | 14 | // ─── Test fixture paths ───────────────────────────────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 121 | // ─── Unit tests ───────────────────────────────────────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 155 | // ─── Additional logic-path tests ─────────────────────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 187 | // ─── Parity tests: JS implementation vs app-builder-bin binary ───────────────
MEDIUM | test/src/certInfoTest.ts | 238 | // ─── Security: pkcs12PasswordToUtf16 encoding ────────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 265 | // ─── Security: pkcs12PbeDeriveKey key derivation ─────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 314 | // ── DoS prevention: iteration count bounds ────────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 360 | // ─── readCertInfo — multiple certificates in one PFX ─────────────────────────
MEDIUM | test/src/certInfoTest.ts | 377 | // ─── readCertInfo — legacy PBE error path ────────────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 387 | // ─── readCertInfo — malformed / corrupted input ───────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 407 | // ─── rc2CbcDecrypt — known-answer tests (RFC 2268) ───────────────────────────
MEDIUM | test/src/certInfoTest.ts | 466 | // ─── readCertInfo — RC2-40 encrypted PFX ─────────────────────────────────────
MEDIUM | test/src/certInfoTest.ts | 484 | // ─── rc2CbcDecrypt — input validation / security guards ──────────────────────
MEDIUM | test/src/certInfoTest.ts | 543 | // ─── pkcs12PbeDeriveKey — salt size guard ────────────────────────────────────
MEDIUM | test/src/cliTest.ts | 4 | // ─── Module mocks (hoisted by vitest above all imports) ───────────────────────
MEDIUM | test/src/cliTest.ts | 39 | // ─── Imports ──────────────────────────────────────────────────────────────────
MEDIUM | test/src/cliTest.ts | 55 | // ─── clearCache ───────────────────────────────────────────────────────────────
MEDIUM | test/src/cliTest.ts | 148 | // ─── wrap ─────────────────────────────────────────────────────────────────────
MEDIUM | test/src/cliTest.ts | 204 | // ─── quoteString ─────────────────────────────────────────────────────────────
MEDIUM | test/src/cliTest.ts | 228 | // ─── Command configuration ───────────────────────────────────────────────────
MEDIUM | test/src/ksuidTest.ts | 31 | // ─── Unit tests ──────────────────────────────────────────────────────────────
MEDIUM | test/src/ksuidTest.ts | 104 | // ─── Parity tests: JS implementation vs app-builder-bin binary ───────────────
MEDIUM | test/src/binDownloadTest.ts | 45 | // ─── getBinFromUrl ──────────────────────────────────────────────────────────
MEDIUM | test/src/binDownloadTest.ts | 116 | // ─── getBin ─────────────────────────────────────────────────────────────────
MEDIUM | test/src/binDownloadTest.ts | 143 | // ─── getBinFromCustomLoc ────────────────────────────────────────────────────
MEDIUM | test/src/electronGetTest.ts | 20 | // ─── getCacheDirectory ────────────────────────────────────────────────────────
MEDIUM | test/src/electronGetTest.ts | 183 | // ─── Shared temp cache dir for functional tests ───────────────────────────────
MEDIUM | test/src/electronGetTest.ts | 196 | // ─── downloadArtifact: generic artifacts (.tar.gz) ───────────────────────────
MEDIUM | test/src/electronGetTest.ts | 307 | // ─── downloadElectronArtifact: electron platform artifacts (.zip) ────────────
MEDIUM | test/src/electronGetTest.ts | 459 | // ─── downloadElectronArtifact: electron distribution zip (heavy) ──────────────
MEDIUM | test/src/electronGetTest.ts | 483 | // ─── Proxy integration ────────────────────────────────────────────────────────
MEDIUM | test/src/updateInfoBuilderTest.ts | 44 | // ── NSIS multi-arch ordering (issue #9745) ──────────────────────────────────
MEDIUM | test/src/updateInfoBuilderTest.ts | 44 | // ── NSIS multi-arch ordering (issue #9745) ──────────────────────────────────
MEDIUM | test/src/updateInfoBuilderTest.ts | 105 | // ── macOS zip-first behavior (backward compat) ──────────────────────────────
MEDIUM | test/src/updateInfoBuilderTest.ts | 127 | // ── Edge cases ───────────────────────────────────────────────────────────────
MEDIUM | test/src/updateInfoBuilderTest.ts | 227 | // ── createUpdateInfoTasks unit tests ─────────────────────────────────────────
MEDIUM | test/src/updateInfoBuilderTest.ts | 286 | // ─────────────────────────────────────────────────────────────────────────────
MEDIUM | test/src/s3BucketLocationTest.ts | 17 | // ─── Mock helper ─────────────────────────────────────────────────────────────
MEDIUM | test/src/s3BucketLocationTest.ts | 45 | // ─── Unit tests ───────────────────────────────────────────────────────────────
MEDIUM | test/src/s3BucketLocationTest.ts | 112 | // ─── Credential chain: getBucketLocation forwards resolved credentials ────────
MEDIUM | test/src/s3BucketLocationTest.ts | 146 | // ─── Output-format contract: JS implementation vs app-builder-bin binary ─────
MEDIUM | test/src/s3BucketLocationTest.ts | 176 | // ─── Credential resolution unit tests ────────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 6 | // ─── Hoist mocks before any module imports ────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 13 | // ─── Imports after mocks ──────────────────────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 24 | // ─── Helpers ──────────────────────────────────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 78 | // ─── getS3ContentType ─────────────────────────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 96 | // ─── S3Publisher — getS3UploadConfig ─────────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 132 | // ─── S3Publisher — getUploadExtraParams ──────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 169 | // ─── SpacesPublisher — getS3UploadConfig ─────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 217 | // ─── Upload — key construction and request params ────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 344 | // ─── Upload — test mode bypass ────────────────────────────────────────────────
MEDIUM | test/src/s3PublishTest.ts | 380 | // ─── Parity contract: Go binary publish-s3 flag → TS header/URL mapping ──────
MEDIUM | test/src/updater/blackboxInstallWindows.ts | 10 | // ─── native Windows ───────────────────────────────────────────────────────────
MEDIUM | test/src/updater/blackboxInstallWindows.ts | 92 | // ─── Parallels VM ─────────────────────────────────────────────────────────────
MEDIUM | test/src/linux/test-snap.sh | 18 | # ─────
MEDIUM | test/src/linux/test-snap.sh | 36 | # ─────────────
MEDIUM | test/src/linux/test-snap.sh | 91 | # ── helpers ───────────────────────────────────────────────────────────────────
MEDIUM | test/src/linux/test-snap.sh | 110 | # ── dispatch ──────────────────────────────────────────────────────────────────
MEDIUM | test/src/linux/snapcraftTest.ts | 13 | // ─── legacy cores (core18 / core20 / core22) ─────────────────────────────────
MEDIUM | test/src/linux/snapcraftTest.ts | 198 | // ─── core24 tests ────────────────────────────────────────────────────────────
31 more matches not shown…
Hyper-Verbose Identifiers (74 hits · 74 pts)
Severity | File | Line | Snippet
LOW | test/vitest-scripts/smart-shard-count.ts | 11 | function computeShardIndicesForPlatform(platform: TargetPlatform): number[] {
LOW | test/vitest-scripts/generate-toolset-tests-windows.ts | 116 | export function generateWindowsToolsetTests(): void {
LOW | test/vitest-scripts/generate-toolset-tests-linux.ts | 54 | export function generateLinuxToolsetTests(): void {
LOW | test/src/updater/differentialUpdateLinuxSuite.ts | 11 | export function registerDifferentialLinuxTests(toolset: Required<Pick<ToolsetConfig, "appimage">>): void {
LOW | test/src/updater/blackboxUpdateHelpers.ts | 184 | async function handleInitialInstallPerOS({
LOW | test/src/updater/blackboxUpdateLinuxSuite.ts | 8 | export function registerBlackboxLinuxTests(toolset: Required<Pick<ToolsetConfig, "appimage">>): void {
LOW | test/src/updater/blackboxUpdateLinuxSuite.ts | 34 | export function registerBlackboxLinuxPackageManagerTests(): void {
LOW | test/src/updater/differentialUpdateWinSuite.ts | 11 | export function registerDifferentialWinTests(toolsets: ToolsetConfig): void {
LOW | test/src/linux/linuxPackagerTestSuite.ts | 19 | export function registerLinuxPackagerTests(toolsets: ToolsetConfig): void {
LOW | test/src/windows/winCodeSignTest.ts | 28 | function makeSignQueueTestPackager(signIfResults: SignIfResult[]) {
LOW | test/src/windows/winCodeSignTest.ts | 50 | function makeSequentialSignTestPackager() {
LOW | test/src/windows/squirrelWindowsTestSuite.ts | 7 | export function registerSquirrelWindowsTests(toolsets: ToolsetConfig): void {
LOW | test/src/windows/assistedInstallerTestSuite.ts | 10 | export function registerAssistedInstallerTests(toolsets: ToolsetConfig): void {
LOW | test/src/helpers/launchAppCrossPlatform.ts | 484 | export async function deliverAndInstallSnapInVm(vm: VmManager, snapPath: string, opts: VmSnapOptions): Promise<{ version
LOW | test/src/helpers/launchAppCrossPlatform.ts | 572 | export async function installAndLaunchSnapLocally(snapPath: string, opts: VmSnapOptions): Promise<{ version: string }> {
LOW | test/src/helpers/packTester.ts | 43 | export function getPackageManagerWithVersion(pm: PM, packageManagerAndVersionString?: string) {
LOW | test/src/helpers/packTester.ts | 75 | function getLockfileFixtureNameCandidates(currentTestName: string): Array<string> {
LOW | test/src/helpers/providerTestUtil.ts | 38 | export function assertDownloadNotTriggered(expect: ExpectStatic, result: any, actualEvents: string[]): void {
LOW | packages/electron-updater/src/providerFactory.ts | 23 | export function isUrlProbablySupportMultiRangeRequests(url: string): boolean {
LOW | …ater/src/differentialDownloader/downloadPlanBuilder.ts | 92 | function validateAndAdd(operation: Operation, operations: Array<Operation>, checksum: string, index: number): void {
LOW | …/src/differentialDownloader/multipleRangeDownloader.ts | 8 | export function executeTasksUsingMultipleRangeRequests(
LOW | packages/app-builder-lib/src/fileTransformer.ts | 64 | export function createElectronCompilerHost(projectDir: string, cacheDir: string): Promise<CompilerHost> {
LOW | packages/app-builder-lib/src/wine.ts | 25 | export function prepareWindowsExecutableArgs(args: Array<string>, exePath: string) {
LOW | packages/app-builder-lib/src/platformPackager.ts | 916 | export function computeSafeArtifactNameIfNeeded(suggestedName: string | null, safeNameProducer: () => string): string |
LOW | …lib/src/options/CommonWindowsInstallerConfiguration.ts | 85 | function convertToDesktopShortcutCreationPolicy(value: boolean | undefined | string): DesktopShortcutCreationPolicy {
LOW | …uilder-lib/src/node-module-collector/packageManager.ts | 88 | function detectPackageManagerByEnv(): PM | null {
LOW | …uilder-lib/src/node-module-collector/packageManager.ts | 102 | async function detectPackageManagerByFile(dir: string): Promise<PM | null> {
LOW | …ges/app-builder-lib/src/node-module-collector/index.ts | 17 | export function getCollectorByPackageManager(pm: PM, rootDir: string, tempDirManager: TmpDir) {
LOW | …ges/app-builder-lib/src/node-module-collector/index.ts | 113 | async function findNearestPackageJsonWithWorkspacesField(dir: string): Promise<string | undefined> {
LOW | packages/app-builder-lib/src/util/appFileCopier.ts | 159 | function getNodeModuleExcludedExts(platformPackager: PlatformPackager<any>) {
LOW | packages/app-builder-lib/src/util/appFileCopier.ts | 181 | export async function computeNodeModuleFileSets(platformPackager: PlatformPackager<any>, mainMatcher: FileMatcher): Prom
LOW | packages/app-builder-lib/src/util/appFileCopier.ts | 213 | async function collectNodeModulesWithLogging(platformPackager: PlatformPackager<any>) {
LOW | packages/app-builder-lib/src/util/appFileCopier.ts | 253 | async function compileUsingElectronCompile(mainFileSet: ResolvedFileSet, packager: Packager): Promise<ResolvedFileSet> {
LOW | packages/app-builder-lib/src/util/license.ts | 27 | export async function getNotLocalizedLicenseFile(
LOW | packages/app-builder-lib/src/util/appBuilder.ts | 18 | export function executeAppBuilderAndWriteJson(args: Array<string>, data: any, extraOptions: SpawnOptions = {}): Promise<
LOW | packages/app-builder-lib/src/util/macosIconComposer.ts | 54 | export async function generateAssetCatalogForIcon(inputPath: string): Promise<AssetCatalogResult> {
LOW | packages/app-builder-lib/src/util/macosVersion.ts | 21 | async function isOsVersionGreaterThanOrEqualTo(input: string) {
LOW | packages/app-builder-lib/src/util/electronGet.ts | 404 | function buildElectronArtifactConfig(options: ArtifactDownloadOptions): ElectronPlatformArtifactDetails {
LOW | packages/app-builder-lib/src/util/electronGet.ts | 452 | export function downloadElectronArtifactZip(options: ArtifactDownloadOptions): Promise<string> {
LOW | packages/app-builder-lib/src/util/flags.ts | 11 | export function isAutoDiscoveryCodeSignIdentity() {
LOW | …kages/app-builder-lib/src/util/normalizePackageData.ts | 187 | function fixBundleDependenciesField(data: any) {
LOW | packages/app-builder-lib/src/util/config/config.ts | 89 | async function loadParentConfigsRecursively(configExtends: Configuration["extends"], loader: (configExtend: string) => P
LOW | packages/app-builder-lib/src/util/config/config.ts | 267 | export async function computeDefaultAppDirectory(projectDir: string, userAppDir: string | Nullish): Promise<string> {
LOW | packages/app-builder-lib/src/targets/FlatpakTarget.ts | 180 | function filterFlatpakAppIdentifier(identifier: string) {
LOW | …ilder-lib/src/targets/differentialUpdateInfoBuilder.ts | 11 | export function createNsisWebDifferentialUpdateInfo(artifactPath: string, packageFiles: { [arch: string]: PackageFileInf
LOW | …ilder-lib/src/targets/differentialUpdateInfoBuilder.ts | 35 | export function configureDifferentialAwareArchiveOptions(archiveOptions: ArchiveOptions): ArchiveOptions {
LOW | packages/app-builder-lib/src/targets/targetUtil.ts | 39 | export function getWindowsInstallationDirName(appInfo: AppInfo, isTryToUseProductName: boolean): string {
LOW | packages/app-builder-lib/src/targets/targetUtil.ts | 44 | export function getWindowsInstallationAppPackageName(appName: string): string {
LOW | …kages/app-builder-lib/src/targets/LinuxTargetHelper.ts | 73 | function mapLinuxCompressionToSnap(level: CompressionLevel | null | undefined): "xz" | "lzo" | undefined {
LOW | packages/app-builder-lib/src/targets/targetFactory.ts | 8 | export function computeArchToTargetNamesMap(raw: Map<Arch, Array<string>>, platformPackager: PlatformPackager<any>, plat
LOW | packages/app-builder-lib/src/targets/nsis/nsisLang.ts | 70 | export async function addCustomMessageFileInclude(input: string, packager: PlatformPackager<any>, scriptGenerator: NsisS
LOW | packages/app-builder-lib/src/targets/nsis/nsisLang.ts | 77 | function computeCustomMessageTranslations(messages: any, langConfigurator: LangConfigurator): Array<string> {
LOW | …s/app-builder-lib/src/targets/snap/snapcraftBuilder.ts | 43 | async function validateSnapcraftYamlWithCLI(workDir: string): Promise<void> {
LOW | …s/app-builder-lib/src/targets/snap/snapcraftBuilder.ts | 317 | async function ensureRemoteBuildAuthentication(cscLink: string | undefined, resourcesDir: string | undefined): Promise<R
LOW | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 40 | export async function buildStaticRuntimeAppImage(appimageToolVersion: ToolsetConfig["appimage"], opts: AppImageBuilderOp
LOW | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 114 | export function validateCriticalPathString(str: string, fieldName: string): void {
LOW | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 122 | async function writeAppLauncherAndRelatedFiles(opts: AppImageBuilderOptions): Promise<void> {
LOW | packages/app-builder-lib/src/vm/ParallelsVm.ts | 109 | export function macPathToParallelsWindows(file: string) {
LOW | …kages/app-builder-lib/src/publish/updateInfoBuilder.ts | 36 | function isGenerateUpdatesFilesForAllChannels(packager: PlatformPackager<any>) {
LOW | …kages/app-builder-lib/src/publish/updateInfoBuilder.ts | 70 | function getArchPrefixForUpdateFile(arch: Arch | null, packager: PlatformPackager<any>) {
14 more matches not shown…
Cross-Language Confusion (JS/TS) (7 hits · 35 pts)
Severity | File | Line | Snippet
HIGH | test/src/helpers/launchAppCrossPlatform.ts | 519 | elif [ -n "\$XVFB_BIN" ]; then
HIGH | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 282 | elif [ -x /usr/bin/kdialog ] ; then
HIGH | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 284 | elif [ -x /usr/bin/Xdialog ] ; then
HIGH | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 298 | elif [ -x /usr/bin/kdialog ] ; then
HIGH | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 300 | elif [ -x /usr/bin/Xdialog ] ; then
HIGH | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 333 | elif [ -x /usr/bin/Xdialog ] ; then
HIGH | …s/app-builder-lib/src/targets/appimage/appImageUtil.ts | 336 | elif [ -x /usr/bin/kdialog ] ; then
Slop Phrases (12 hits · 20 pts)
Severity | File | Line | Snippet
MEDIUM | packages/app-builder-lib/scheme.json | 2215 | "description": "A [glob patterns](https://www.electron.build/file-patterns) relative to the [app directory](ht
MEDIUM | packages/app-builder-lib/scheme.json | 2933 | "description": "A [glob patterns](https://www.electron.build/file-patterns) relative to the [app directory](ht
MEDIUM | packages/app-builder-lib/scheme.json | 3571 | "description": "A [glob patterns](https://www.electron.build/file-patterns) relative to the [app directory](ht
LOW | packages/app-builder-lib/scheme.json | 4333 | "description": "The path to EULA license file. Defaults to `license.txt` or `eula.txt` (or uppercase variants)
LOW | packages/app-builder-lib/scheme.json | 4686 | "description": "The path to EULA license file. Defaults to `license.txt` or `eula.txt` (or uppercase variants)
LOW | packages/app-builder-lib/scheme.json | 5664 | "description": "The path to EULA license file. Defaults to `license.txt` or `eula.txt` (or uppercase variants)
MEDIUM | packages/app-builder-lib/scheme.json | 8587 | "description": "A [glob patterns](https://www.electron.build/file-patterns) relative to the [app directory](ht
MEDIUM | packages/app-builder-lib/scheme.json | 9245 | "description": "The [electron-download](https://github.com/electron-userland/electron-download#usage) options. (le
MEDIUM | packages/app-builder-lib/scheme.json | 9406 | "description": "A [glob patterns](https://www.electron.build/file-patterns) relative to the [app directory](https:
LOW | packages/app-builder-lib/src/options/pkgOptions.ts | 66 | * The path to EULA license file. Defaults to `license.txt` or `eula.txt` (or uppercase variants). In addition to `txt
MEDIUM | …uilder-lib/src/options/PlatformSpecificBuildOptions.ts | 83 | You can use [file macros](https://www.electron.build/file-patterns#file-macros) in the `from` and `to` fields as well. `
LOW | …ckages/app-builder-lib/src/targets/nsis/nsisOptions.ts | 189 | * The path to EULA license file. Defaults to `license.txt` or `eula.txt` (or uppercase variants). In addition to `txt
Over-Commented Block (14 hits · 14 pts)
Severity | File | Line | Snippet
LOW | docker/test-in-docker.sh | 21 | # can clean them up in subsequent steps without EACCES. We derive the host
LOW | test/src/HoistTest.ts | 81 | // it(`should support simple cyclic peer dependencies`, () => {
LOW | test/src/HoistTest.ts | 101 |
LOW | test/src/HoistTest.ts | 121 | }
LOW | test/src/HoistTest.ts | 261 | // . -> A -> B
LOW | test/src/HoistTest.ts | 381 | // -> F -> G -> B@X -> C@X -> D@X
LOW | test/src/HoistTest.ts | 421 | "B@X#1": { dependencies: [`C@Y`], peerNames: [`C`] },
LOW | test/src/HoistTest.ts | 521 | // -> B@X
LOW | test/src/updater/test-specific-platforms.sh | 1 | #!/bin/bash
LOW | test/src/linux/test-snap.sh | 1 | #!/bin/bash
LOW | test/src/linux/test-snap.sh | 21 | #
LOW | test/src/linux/test-snap.sh | 61 | export TEST_FILES="${TEST_FILES:-snapTest,snapHeavyTest}"
LOW | …-updater/src/windowsExecutableCodeSignatureVerifier.ts | 21 |
LOW | packages/builder-util-runtime/src/uuid.ts | 221 |
Verbosity Indicators (6 hits · 12 pts)
Severity | File | Line | Snippet
LOW | packages/app-builder-lib/src/codeSign/certInfo.ts | 247 | // Step 1: D = ID byte repeated v times
LOW | packages/app-builder-lib/src/codeSign/certInfo.ts | 250 | // Step 2: S = salt bytes repeated to fill ceil(salt.length / v) * v bytes
LOW | packages/app-builder-lib/src/codeSign/certInfo.ts | 257 | // Step 3: P = password bytes repeated to fill ceil(password.length / v) * v bytes
LOW | packages/app-builder-lib/src/codeSign/certInfo.ts | 264 | // Step 4: I = S || P (mutable, updated in step 6C)
LOW | packages/app-builder-lib/src/codeSign/certInfo.ts | 389 | // Step 1: Verify MAC (or signature) integrity and parse the AuthenticatedSafe container.
LOW | packages/app-builder-lib/src/codeSign/certInfo.ts | 408 | // Step 2: Iterate over the authenticated-safe ContentInfos and extract all certificates.
AI Slop Vocabulary (3 hits · 8 pts)
Severity | File | Line | Snippet
MEDIUM | packages/app-builder-lib/scheme.json | 427 | "description": "Bitbucket options.\nhttps://bitbucket.org/\nDefine `BITBUCKET_TOKEN` environment variable.\n\nFor
MEDIUM | …/src/node-module-collector/yarnNodeModulesCollector.ts | 6 | // Instead of parsing Yarn's custom NDJSON output, we leverage npm's list command
MEDIUM | packages/app-builder-lib/src/toolsets/linux.ts | 93 | // nullish and 0.0.0 are both considered legacy, but utilize an upstream dependency to download runtimes, so thus, we
Redundant / Tautological Comments (1 hit · 2 pts)
Severity | File | Line | Snippet
LOW | test/src/linux/test-snap.sh | 111 | # Set SNAP_CORE to test a single core (ideal for CI matrix jobs).
Fake / Example Data (1 hit · 1 pts)
Severity | File | Line | Snippet
LOW | test/src/cliTest.ts | 208 | expect(quoteString("Acme Corp")).toBe("Acme Corp")